
Endpoint Encryption administrators and users have several authentication methods to log on to Endpoint Encryption devices. The methods available are determined by the PolicyServer policy configuration.

Note:

You must use PolicyServer MMC to configure the authentication methods available to Endpoint Encryption users. It is not possible to use Control Manager to configure the allowed authentication methods. However, you can configure Control Manager for domain authentication.

Table 1. Supported Authentication Methods

Authentication Method   Description
ColorCode               A unique sequence of colors.
Domain Authentication   Active Directory LDAP synchronization for single sign-on (SSO).
Fixed Password          A string of characters, numbers, and symbols.
PIN                     A standard Personal Identification Number (PIN).
Remote Help             Interactive authentication for users who forget their credentials, or for devices that have not synchronized policies within a predetermined amount of time.
Self Help               Question and answer combinations that allow users to reset a forgotten password without contacting Technical Support.
Smart Card              A physical card used in conjunction with a PIN or fixed password.

ColorCode

ColorCode™ is a unique authentication method designed for quick access and easy memorization. Rather than alphanumeric characters or symbols for the password, ColorCode authentication consists of a user-created color sequence (example: red, red, blue, yellow, blue, green). Because the sequence is drawn from a small palette, the strength of a ColorCode depends on its length; set the sequence length and the failed-attempt lockout policy with that in mind.

Figure 1. ColorCode Authentication Screen

Domain Authentication

Endpoint Encryption integrates with Active Directory using LDAP settings configured in PolicyServer. Domain authentication allows Endpoint Encryption users to use single sign-on (SSO) between the operating system and the Endpoint Encryption agent: a user with domain authentication provides credentials only once to authenticate to the Full Disk Encryption preboot, log on to Windows, and access the files protected by File Encryption.

For seamless Active Directory integration, make sure that the following requirements are met:

  • PolicyServer has joined the domain.

  • All Endpoint Encryption devices are in the same Active Directory and domain as PolicyServer.

  • The user names configured in Active Directory exactly match the user names configured in PolicyServer (including case).

  • The user names are located within a PolicyServer group and the Domain Authentication policy is enabled.

  • The host name and domain name are configured correctly based on the LDAP or Active Directory server settings.
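The following PowerShell script, added here as an example and not part of the Endpoint Encryption product or its documentation, checks the requirements listed above from the PolicyServer host: domain membership, reachability of the LDAP server, and whether each PolicyServer user name has an Active Directory account whose sAMAccountName matches it exactly, including case. The list in `$PolicyServerUserNames` is a constructed sample; PolicyServer has no cmdlet that this script can call, so export the user names from PolicyServer MMC yourself and pass them in.

```powershell
# Added example, not Trend Micro code. Run on PolicyServer with the RSAT
# ActiveDirectory module installed.
param(
    # Assumed input: user names exactly as they appear in PolicyServer
    # (constructed sample values below).
    [string[]]$PolicyServerUserNames = @('jsmith', 'ADoe', 'svc-backup')
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. PolicyServer must be joined to the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This host is not domain-joined (workgroup: $($cs.Workgroup))."
} else {
    Write-Host "Domain-joined to $($cs.Domain)"
}

# 2. Host name / domain name must resolve to a reachable AD server (LDAP, TCP 389).
$dom = Get-ADDomain
$dc  = Get-ADDomainController -Discover -ErrorAction Stop
Write-Host "Domain DNS name: $($dom.DNSRoot); LDAP host: $($dc.HostName)"
if (-not (Test-NetConnection -ComputerName $dc.HostName -Port 389 -InformationLevel Quiet)) {
    Write-Warning "TCP 389 to $($dc.HostName) is not reachable from this host."
}

# 3. Each PolicyServer user name must match an AD account exactly, including case.
#    AD lookups are case-insensitive, so the lookup finds 'adoe' for 'ADoe';
#    the -cne (case-sensitive) comparison afterwards catches the mismatch.
foreach ($name in $PolicyServerUserNames) {
    $adUser = Get-ADUser -Filter "sAMAccountName -eq '$name'" -Properties sAMAccountName
    if ($null -eq $adUser) {
        Write-Warning "$name : no matching Active Directory account."
    } elseif ($adUser.sAMAccountName -cne $name) {
        Write-Warning "$name : case mismatch, Active Directory has '$($adUser.sAMAccountName)'."
    } else {
        Write-Host "$name : OK"
    }
}
```

The script does not verify that the users sit in a PolicyServer group with the Domain Authentication policy enabled; that remains a manual check in PolicyServer MMC.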

Note:

For information about configuring LDAP and Active Directory settings, see the Endpoint Encryption Installation Guide available at:

http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx

Fixed Password

Fixed password authentication is the most common authentication method. The fixed password is created by the user and can be almost any string of numbers, characters, or symbols. You can place restrictions on fixed passwords through PolicyServer policy so that they are not easily guessed.

PIN

A Personal Identification Number (PIN) is a common identification method requiring a unique sequence of numbers. The PIN is created by the user and can be almost any numeric sequence. Similar to fixed passwords, you may place restrictions on the PIN combination.

Remote Help

Remote Help allows Group or Enterprise Authenticators to assist Endpoint Encryption users who are locked out and cannot log on to Endpoint Encryption devices after too many unsuccessful logon attempts, or when too much time has elapsed since the last PolicyServer synchronization.

Note:

Remote Help authentication is triggered by Endpoint Encryption device policy rules. Remote Help policy rules are configurable in both PolicyServer MMC and Control Manager.

Self Help

Self Help authentication allows Endpoint Encryption users who have forgotten their credentials to answer security questions and log on to Endpoint Encryption devices without Technical Support assistance. Self Help requires the Endpoint Encryption user to respond with answers to predefined personal challenge questions. Self Help can replace fixed password or other authentication methods.

Consider the following when choosing your authentication method or when configuring Self Help:

  • Self Help is not available for Administrator and Authenticator accounts.

  • Self Help is not available for accounts that use domain authentication. PolicyServer is unable to change or retrieve previous domain passwords.

  • Self Help has a maximum of six questions for each user account. Users may be unable to log on using Self Help if more than six questions are configured.

  • Self Help is only configurable with PolicyServer MMC.

Smart Card

Smart card authentication requires both a PIN and a physical token to confirm the user identity. Smart card certificates are associated with the user account and the user's assigned group. Once registered, the user can use smart card authentication from any Endpoint Encryption device in that group without requesting another one-time password.

To use smart card authentication, make sure that the following requirements are met:

  • The smart card reader is connected to the endpoint and the smart card is inserted into the smart card reader.

  • ActivClient 6.2 with all service packs and updates installed.

    Note:

    ActivClient 7.0 and later is not supported.

  • Specify the smart card PIN in the password field.

    Warning:

Entering an incorrect PIN returns a password error and, after repeated failures, may lock the smart card.
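The following PowerShell script, added here as an example and not part of the Endpoint Encryption product or ActivClient, checks the endpoint-side requirements above before a user attempts smart card logon: a working reader is present, the Smart Card service is running, a card is inserted, and the installed ActivClient version is 6.2 rather than 7.0 or later. It reads the ActivClient version from the standard Windows Uninstall registry keys; the assumption that the installed product registers under a DisplayName beginning with "ActivClient" is mine. It deliberately does not test the PIN, so it cannot trigger the lockout described in the warning.

```powershell
# Added example, not Trend Micro or HID/ActivIdentity code. Run on the endpoint.

# 1. Smart card reader present and the Smart Card service (SCardSvr) running.
$readers = Get-PnpDevice -Class SmartCardReader -Status OK -ErrorAction SilentlyContinue
if (-not $readers) {
    Write-Warning "No working smart card reader detected."
} else {
    $readers | ForEach-Object { Write-Host "Reader: $($_.FriendlyName)" }
}
$scSvc = Get-Service -Name SCardSvr
if ($scSvc.Status -ne 'Running') {
    Write-Warning "Smart Card service (SCardSvr) is $($scSvc.Status); start it before logon."
}

# 2. Card inserted. Assumption: an inserted card enumerates as a PnP device of
#    class SmartCard once the reader driver has identified it.
$cards = Get-PnpDevice -Class SmartCard -Status OK -ErrorAction SilentlyContinue
if (-not $cards) {
    Write-Warning "No smart card detected in any reader."
} else {
    $cards | ForEach-Object { Write-Host "Card: $($_.FriendlyName)" }
}

# 3. ActivClient version: 6.2 (with service packs) is required; 7.0+ is not supported.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$ac = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like 'ActivClient*' } |
      Select-Object -First 1
if (-not $ac) {
    Write-Warning "ActivClient is not installed."
} else {
    $v = [version]$ac.DisplayVersion
    if ($v -ge [version]'7.0') {
        Write-Warning "ActivClient $v is not supported (7.0 and later)."
    } elseif ($v.Major -eq 6 -and $v.Minor -eq 2) {
        Write-Host "ActivClient $v OK (verify all service packs and updates are applied)."
    } else {
        Write-Warning "ActivClient $v found; version 6.2 with all service packs is required."
    }
}
```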

Note:
  • Smart card authentication is only configurable with PolicyServer MMC.

  • Switching the authentication method from smart card to domain authentication may cause issues for domain users added through ADSync or Active Directory User Import. To resolve this issue, remove the domain user account from the enterprise, and then restart the PolicyServer services to start synchronization with the AD server. The synchronization process adds the user back with domain authentication as the authentication method. Alternatively, add the domain user account back through Active Directory User Import.